
Network

This section describes how to create and configure the AWS network components that allow communication between the application components, the database, storage, external services, and incoming web traffic.

Critical Manufacturing MES requires a well-configured network to ensure secure, fast, and reliable communication between its components (Kubernetes pods, SQL Server database, and external services). The following configurations are essential for proper operation.

Key Components

  • VPC: Create an isolated Virtual Private Cloud (VPC) for the MES system, ensuring that the EKS cluster, SQL Server, and other components are secure and have controlled access.
  • Subnets: Use both public and private subnets:
    • Public Subnets for exposing load balancers and external services.
    • Private Subnets for keeping the MES containers and SQL Server secure from direct internet exposure.
  • Security Groups: Define security groups to control traffic, for example allowing ingress from the load balancers to the EKS services and nothing else.
  • NAT Gateways: Ensure private subnets have outbound internet access for software updates and the external communication needs of MES pods, without accepting inbound connections.
  • Internet Gateways: Allow resources in the public subnets that have a public IP to send and receive internet traffic.

This setup provides an isolated and secure network for the MES components while maintaining access to essential external services.
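Of the components listed above, the security groups are the ones whose intent is easiest to lose over time. The following is an added example, not code from the Critical Manufacturing documentation: it audits the output of `aws ec2 describe-security-groups` against the three-tier policy the list implies (the internet may reach only the load balancer, only the load balancer may reach the EKS services, only the EKS nodes may reach SQL Server). The group IDs, the port numbers (80 for the service, 443 for the listener, 1433 for SQL Server) and the sample JSON are constructed assumptions; the page names no concrete groups or ports.

```python
"""Audit EC2 security-group ingress rules against a three-tier policy
(internet -> load balancer -> EKS nodes -> SQL Server).

Added example; not code from the Critical Manufacturing documentation.
Group IDs, ports and the sample JSON are constructed to mirror the shape
of `aws ec2 describe-security-groups --output json`, so it runs offline.
"""
import json

# Constructed group IDs (assumed names; the page defines none).
SG_LB = "sg-0000000000000001"     # load balancer, public subnets
SG_NODES = "sg-0000000000000002"  # EKS worker nodes, private subnets
SG_DB = "sg-0000000000000003"     # SQL Server, private subnets

# Intended ingress policy: group -> {port -> allowed sources}.
# A source is either a CIDR or another security group ID. The only place
# "0.0.0.0/0" is acceptable is the load balancer's HTTPS listener.
EXPECTED_INGRESS = {
    SG_LB: {443: {"0.0.0.0/0"}},
    SG_NODES: {80: {SG_LB}},      # assumed service port behind the LB
    SG_DB: {1433: {SG_NODES}},    # SQL Server reachable only from the nodes
}

# Constructed describe-security-groups output with one deliberate mistake:
# the node group also allows SSH from the whole internet.
SAMPLE_DESCRIBE_SGS = json.dumps({"SecurityGroups": [
    {"GroupId": SG_LB, "GroupName": "cm-sg-lb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": SG_NODES, "GroupName": "cm-sg-eks-nodes", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": SG_LB}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": SG_DB, "GroupName": "cm-sg-sqlserver", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": SG_NODES}]}]},
]})


def ingress_rules(describe_output):
    """Flatten describe-security-groups JSON into (group, proto, from, to, source) tuples."""
    rules = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            for src in sources:
                rules.append((sg["GroupId"], proto, lo, hi, src))
    return rules


def audit(describe_output, expected):
    """Return human-readable findings; an empty list means the groups match the policy."""
    findings = []
    seen = set()
    for gid, proto, lo, hi, src in ingress_rules(describe_output):
        # "-1" is the all-protocols rule; FromPort -1 means every port.
        if proto == "-1" or lo == -1:
            findings.append(f"{gid}: rule allows {proto} on all ports from {src}")
            continue
        for port in range(lo, hi + 1):
            allowed = expected.get(gid, {}).get(port, set())
            if src in allowed:
                seen.add((gid, port, src))
            elif src in ("0.0.0.0/0", "::/0"):
                findings.append(f"{gid}: port {port} open to the internet ({src})")
            else:
                findings.append(f"{gid}: port {port} reachable from unexpected source {src}")
    # A missing expected rule is also a finding: the tier cannot talk to the next one.
    for gid, ports in expected.items():
        for port, sources in ports.items():
            for src in sources:
                if (gid, port, src) not in seen:
                    findings.append(f"{gid}: expected ingress on port {port} from {src} is missing")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_DESCRIBE_SGS, EXPECTED_INGRESS) or ["no findings"]:
        print(line)
```

To run it against a real account, replace `SAMPLE_DESCRIBE_SGS` with the text of `aws ec2 describe-security-groups --output json` and put the real group IDs into `EXPECTED_INGRESS`. Expressing the policy as "which source may reach which port" rather than as a list of forbidden rules means an unexpected rule is flagged whatever its shape, and a rule that was supposed to exist but was deleted is flagged too.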

Note

More information: https://docs.aws.amazon.com/vpc/

Configuration Steps

  1. Open the AWS Management Console
  2. Search for VPC and open
  3. Click Create VPC
  4. Choose VPC and more
  5. If required, change the configuration according to your needs
  6. Create VPC
  7. Click Create VPC

Example script that creates a VPC spanning two Availability Zones, each with one public and one private subnet, and gives the private subnets outbound internet access through a NAT Gateway:

#!/usr/bin/env bash
# Creates a VPC with two public and two private subnets across two
# Availability Zones, an Internet Gateway for the public subnets and a
# single NAT Gateway for outbound traffic from the private subnets.
set -euo pipefail

# Step 1: Create VPC
echo "Creating VPC..."
VPC_ID=$(aws ec2 create-vpc --cidr-block "10.0.0.0/16" --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=cm-vpc}]' --query 'Vpc.VpcId' --output text)
echo "VPC ID: $VPC_ID"

# Step 2: Modify VPC attributes (enable DNS support and DNS hostnames; EKS requires both)
echo "Enabling DNS support and DNS hostnames for the VPC..."
aws ec2 modify-vpc-attribute --vpc-id "$VPC_ID" --enable-dns-support '{"Value":true}'
aws ec2 modify-vpc-attribute --vpc-id "$VPC_ID" --enable-dns-hostnames '{"Value":true}'

# Step 3: Create public subnets (one per Availability Zone)
echo "Creating public subnets..."
SUBNET_PUBLIC1=$(aws ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block "10.0.0.0/20" --availability-zone "us-east-1a" --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=cm-subnet-public1-us-east-1a}]' --query 'Subnet.SubnetId' --output text)
SUBNET_PUBLIC2=$(aws ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block "10.0.16.0/20" --availability-zone "us-east-1b" --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=cm-subnet-public2-us-east-1b}]' --query 'Subnet.SubnetId' --output text)
echo "Public Subnet 1 ID: $SUBNET_PUBLIC1"
echo "Public Subnet 2 ID: $SUBNET_PUBLIC2"
# Resources launched in the public subnets need a public IP to use the Internet Gateway
aws ec2 modify-subnet-attribute --subnet-id "$SUBNET_PUBLIC1" --map-public-ip-on-launch
aws ec2 modify-subnet-attribute --subnet-id "$SUBNET_PUBLIC2" --map-public-ip-on-launch

# Step 4: Create private subnets (no public IPs; these hold the MES pods and SQL Server)
echo "Creating private subnets..."
SUBNET_PRIVATE1=$(aws ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block "10.0.128.0/20" --availability-zone "us-east-1a" --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=cm-subnet-private1-us-east-1a}]' --query 'Subnet.SubnetId' --output text)
SUBNET_PRIVATE2=$(aws ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block "10.0.144.0/20" --availability-zone "us-east-1b" --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=cm-subnet-private2-us-east-1b}]' --query 'Subnet.SubnetId' --output text)
echo "Private Subnet 1 ID: $SUBNET_PRIVATE1"
echo "Private Subnet 2 ID: $SUBNET_PRIVATE2"

# Step 5: Create and attach an Internet Gateway
echo "Creating Internet Gateway..."
IGW_ID=$(aws ec2 create-internet-gateway --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=cm-igw}]' --query 'InternetGateway.InternetGatewayId' --output text)
echo "Attaching Internet Gateway to VPC..."
aws ec2 attach-internet-gateway --internet-gateway-id "$IGW_ID" --vpc-id "$VPC_ID"

# Step 6: Create a public route table and routes
echo "Creating public route table..."
RTB_PUBLIC=$(aws ec2 create-route-table --vpc-id "$VPC_ID" --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=cm-rtb-public}]' --query 'RouteTable.RouteTableId' --output text)
echo "Creating route for Internet access in the public route table..."
aws ec2 create-route --route-table-id "$RTB_PUBLIC" --destination-cidr-block "0.0.0.0/0" --gateway-id "$IGW_ID"

# Step 7: Associate public route table with public subnets
echo "Associating public route table with public subnets..."
aws ec2 associate-route-table --route-table-id "$RTB_PUBLIC" --subnet-id "$SUBNET_PUBLIC1"
aws ec2 associate-route-table --route-table-id "$RTB_PUBLIC" --subnet-id "$SUBNET_PUBLIC2"

# Step 8: Allocate an Elastic IP for NAT Gateway
echo "Allocating Elastic IP for NAT Gateway..."
EIP_ALLOC_ID=$(aws ec2 allocate-address --domain "vpc" --tag-specifications 'ResourceType=elastic-ip,Tags=[{Key=Name,Value=cm-eip-us-east-1a}]' --query 'AllocationId' --output text)

# Step 9: Create a NAT Gateway in the public subnet
# Note: both private route tables below use this single NAT Gateway in us-east-1a,
# so an outage of that zone removes outbound access for the private subnets in both zones.
echo "Creating NAT Gateway..."
NAT_GW_ID=$(aws ec2 create-nat-gateway --subnet-id "$SUBNET_PUBLIC1" --allocation-id "$EIP_ALLOC_ID" --tag-specifications 'ResourceType=natgateway,Tags=[{Key=Name,Value=cm-nat-public1-us-east-1a}]' --query 'NatGateway.NatGatewayId' --output text)
echo "NAT Gateway ID: $NAT_GW_ID"
# The NAT Gateway starts in the "pending" state; routes cannot target it until it is available
echo "Waiting for NAT Gateway to become available..."
aws ec2 wait nat-gateway-available --nat-gateway-ids "$NAT_GW_ID"

# Step 10: Create private route tables and routes through NAT Gateway
echo "Creating private route table 1..."
RTB_PRIVATE1=$(aws ec2 create-route-table --vpc-id "$VPC_ID" --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=cm-rtb-private1-us-east-1a}]' --query 'RouteTable.RouteTableId' --output text)
echo "Creating route in private route table 1 through NAT Gateway..."
aws ec2 create-route --route-table-id "$RTB_PRIVATE1" --destination-cidr-block "0.0.0.0/0" --nat-gateway-id "$NAT_GW_ID"

echo "Creating private route table 2..."
RTB_PRIVATE2=$(aws ec2 create-route-table --vpc-id "$VPC_ID" --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=cm-rtb-private2-us-east-1b}]' --query 'RouteTable.RouteTableId' --output text)
echo "Creating route in private route table 2 through NAT Gateway..."
aws ec2 create-route --route-table-id "$RTB_PRIVATE2" --destination-cidr-block "0.0.0.0/0" --nat-gateway-id "$NAT_GW_ID"

# Step 11: Associate private route tables with private subnets
echo "Associating private route tables with private subnets..."
aws ec2 associate-route-table --route-table-id "$RTB_PRIVATE1" --subnet-id "$SUBNET_PRIVATE1"
aws ec2 associate-route-table --route-table-id "$RTB_PRIVATE2" --subnet-id "$SUBNET_PRIVATE2"

# Step 12: Verify route tables (the private tables must route 0.0.0.0/0 to the NAT Gateway, never to the IGW)
echo "Verifying route tables..."
aws ec2 describe-route-tables --route-table-ids "$RTB_PRIVATE1" "$RTB_PRIVATE2"
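Step 12 only prints the route tables; what a practitioner actually wants to confirm is that no private subnet ended up with a default route through the Internet Gateway, and that the subnet plan fits inside the VPC block without overlaps. The following is an added example, not part of the original documentation: it parses the JSON that `aws ec2 describe-route-tables --output json` prints and checks those two properties. The subnet, route table, IGW and NAT IDs and the sample output are constructed (the CIDRs are the ones the script above uses), and the third table is deliberately misconfigured so the check has something to find.

```python
"""Verify that the route tables from step 12 actually isolate the private subnets.

Added example, not part of the original documentation. It parses the JSON
that `aws ec2 describe-route-tables --output json` prints and checks that
every public subnet's default route is an Internet Gateway and every
private subnet's default route is a NAT Gateway. All IDs and the sample
output below are constructed; the CIDRs are the ones used by the script.
"""
import ipaddress
import json

VPC_CIDR = "10.0.0.0/16"
PUBLIC_SUBNETS = {"subnet-0000000000000001": "10.0.0.0/20",
                  "subnet-0000000000000002": "10.0.16.0/20"}
PRIVATE_SUBNETS = {"subnet-0000000000000003": "10.0.128.0/20",
                   "subnet-0000000000000004": "10.0.144.0/20"}

LOCAL = {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"}
IGW = "igw-0000000000000001"
NAT = "nat-0000000000000001"

# Constructed describe-route-tables output. The third table is deliberately
# wrong: a private subnet whose default route points at the IGW.
SAMPLE_DESCRIBE_RTBS = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-0000000000000001",
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW, "State": "active"}],
     "Associations": [{"SubnetId": "subnet-0000000000000001", "Main": False},
                      {"SubnetId": "subnet-0000000000000002", "Main": False}]},
    {"RouteTableId": "rtb-0000000000000002",
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": NAT, "State": "active"}],
     "Associations": [{"SubnetId": "subnet-0000000000000003", "Main": False}]},
    {"RouteTableId": "rtb-0000000000000003",
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW, "State": "active"}],
     "Associations": [{"SubnetId": "subnet-0000000000000004", "Main": False}]},
]})


def default_route_target(table):
    """Return ('igw'|'nat'|'other', target_id) for the active 0.0.0.0/0 route, or None."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        if route.get("NatGatewayId"):
            return ("nat", route["NatGatewayId"])
        gateway = route.get("GatewayId", "")
        if gateway.startswith("igw-"):
            return ("igw", gateway)
        return ("other", gateway or route.get("NetworkInterfaceId", "?"))
    return None


def audit_routes(describe_output, public, private):
    """Return findings; an empty list means the layout matches the intent."""
    tables_by_subnet = {}
    for table in json.loads(describe_output)["RouteTables"]:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId"):
                tables_by_subnet[assoc["SubnetId"]] = table
    findings = []
    for sid in public:
        table = tables_by_subnet.get(sid)
        target = default_route_target(table) if table else None
        if target is None or target[0] != "igw":
            findings.append(f"{sid}: public subnet has no active default route via an Internet Gateway")
    for sid in private:
        table = tables_by_subnet.get(sid)
        if table is None:
            # Unassociated subnets silently use the VPC's main route table.
            findings.append(f"{sid}: no explicit route table association (uses the main table)")
            continue
        target = default_route_target(table)
        if target is None:
            findings.append(f"{sid}: private subnet has no default route; pods cannot reach updates")
        elif target[0] != "nat":
            findings.append(f"{sid}: private subnet default route goes to {target[1]}; it is effectively public")
    return findings


def check_cidr_plan(vpc_cidr, subnets):
    """Confirm every subnet lies inside the VPC block and no two subnets overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {sid: ipaddress.ip_network(cidr) for sid, cidr in subnets.items()}
    problems = [f"{sid}: {n} is outside {vpc}" for sid, n in nets.items() if not n.subnet_of(vpc)]
    ids = list(nets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap")
    return problems


if __name__ == "__main__":
    for line in check_cidr_plan(VPC_CIDR, {**PUBLIC_SUBNETS, **PRIVATE_SUBNETS}):
        print(line)
    for line in audit_routes(SAMPLE_DESCRIBE_RTBS, PUBLIC_SUBNETS, PRIVATE_SUBNETS) or ["no findings"]:
        print(line)
```

For a real check, run `aws ec2 describe-route-tables --filters Name=vpc-id,Values=$VPC_ID --output json` (all tables in the VPC, not just the two private ones, so that subnets that fell back to the main table are visible) and feed the output to `audit_routes` with the real subnet IDs. A private subnet whose default route is an Internet Gateway is public in every sense that matters, regardless of its name tag, which is why the check keys on the route target rather than on the tag.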